Analysis

Max time kernel: 149s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05/11/2024, 02:33

Static task: static1
Behavioral task: behavioral1
Sample: 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe
Resource: win10v2004-20241007-en
General

Target: 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe
Size: 480KB
MD5: 2be0a62d14bec20a8c87c8983cd00474
SHA1: ec4c0d7cbbd50f2b166a15e4eef5a817bc59246e
SHA256: 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649
SHA512: a703b74d695fa26a9894539852b1a5431c4e93943ade8a69d5bbbd2a565fe8c40d07fd59336c9de02b9d51416287d3ff4ae04092dcd68de478af36bd12757cdf
SSDEEP: 12288:hMray90obgedwXO54Dnli7CbZSVaqvSv6YLV1YdT9i:XyHbged6O54Dnli71amh81YdT9i
Malware Config

Extracted
  Family: redline
  Botnet: daris
  C2: 217.196.96.56:4138
  auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/files/0x0008000000023cae-12.dat                                    family_redline
  behavioral1/memory/3460-15-0x0000000000890000-0x00000000008BE000-memory.dmp    family_redline
The memory hit is a region of PID 3460 (k9175512.exe, the last process in the tree below), so the RedLine rule matched both a dropped file on disk and the unpacked payload in the final stage's address space.

Redline family

Executes dropped EXE (2 IoCs)
  pid     Process
  4756    y2936507.exe
  3460    k9175512.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
    = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
    Process: 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe
  Set value (str)
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
    = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
    Process: y2936507.exe
Both values are the cleanup entries written by the Windows self-extractor (wextract, the IExpress SFX stub): each stage unpacks into %TEMP%\IXPnnn.TMP and registers a RunOnce entry that calls advpack.dll!DelNodeRunDLL32 to delete that directory at the next logon. They remove the staging folders rather than relaunch anything, so despite the signature name they are not persistence for the RedLine payload. The wextract_cleanupN value names and IXPnnn.TMP paths are still worth hunting for, since they show this two-layer SFX packaging was used on a host, and the staging directories should be collected before the RunOnce entry deletes them.
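Added example (not part of the sandbox report): a Python triage helper that takes RunOnce values like the two above and separates the self-extractor cleanup pattern (value name wextract_cleanupN, data calling advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP folder) from entries that actually relaunch a binary. The two report values are used as input; the third entry (Updater / updater.exe) is constructed for contrast and does not come from this analysis.

```python
import re
from typing import Dict, Optional

# The two RunOnce values recorded in this report (sandbox user "Admin"), plus one
# constructed entry (not from the report) showing what a genuine relaunch looks like.
RUNONCE_VALUES: Dict[str, str] = {
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0":
        r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1":
        r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
    # constructed persistence-style entry for contrast (hypothetical path and name)
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Updater":
        r'"C:\Users\Admin\AppData\Roaming\Updater\updater.exe" /silent',
}

# wextract names its cleanup values wextract_cleanup<N> ...
_CLEANUP_NAME = re.compile(r"wextract_cleanup\d+$", re.IGNORECASE)
# ... and the data is always rundll32 -> advpack.dll!DelNodeRunDLL32 on an IXP<nnn>.TMP folder.
_CLEANUP_DATA = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\Windows\\system32\\)?advpack\.dll,DelNodeRunDLL32\s+'
    r'"(?P<dir>[^"]*\\IXP\d{3}\.TMP\\?)"\s*$',
    re.IGNORECASE,
)


def image_from_command(data: str) -> str:
    """Return the executable a RunOnce command would start (quoted or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def classify_runonce(name: str, data: str) -> Dict[str, Optional[str]]:
    """Label one RunOnce value.

    sfx_cleanup      name and data both match the wextract cleanup pattern: deletes
                     the staging directory, relaunches nothing
    cleanup_mismatch only one side matches, e.g. a cleanup-looking name that
                     starts a binary; worth a manual look
    persistence      anything else: the command starts an image at next logon
    """
    value_name = name.rsplit("\\", 1)[-1]
    name_ok = bool(_CLEANUP_NAME.search(value_name))
    m = _CLEANUP_DATA.match(data)
    if name_ok and m:
        return {"kind": "sfx_cleanup", "value": value_name,
                "staging_dir": m.group("dir"), "image": None}
    if name_ok or m:
        return {"kind": "cleanup_mismatch", "value": value_name,
                "staging_dir": m.group("dir") if m else None,
                "image": image_from_command(data)}
    return {"kind": "persistence", "value": value_name,
            "staging_dir": None, "image": image_from_command(data)}


def triage(values: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Classify every RunOnce value; staging_dir tells you what to collect before logon."""
    return {name: classify_runonce(name, data) for name, data in values.items()}


if __name__ == "__main__":
    for name, verdict in triage(RUNONCE_VALUES).items():
        print(verdict["kind"].ljust(17), verdict["value"], verdict["staging_dir"] or verdict["image"])
```

The staging_dir field is the actionable part for an incident: it names the IXPnnn.TMP folder that will be wiped at the next logon, so it should be imaged before the host reboots.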
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                             Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     y2936507.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     k9175512.exe
All three processes in the chain open the key. Benign software reads it too during locale initialisation, so on its own this is context rather than a detection.
Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid     Process                                                                    procid_target
  PID 4864 wrote to memory of 4756    4864    57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe    84
  PID 4864 wrote to memory of 4756    4864    57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe    84
  PID 4864 wrote to memory of 4756    4864    57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe    84
  PID 4756 wrote to memory of 3460    4756    y2936507.exe                                                               85
  PID 4756 wrote to memory of 3460    4756    y2936507.exe                                                               85
  PID 4756 wrote to memory of 3460    4756    y2936507.exe                                                               85
The two targets are exactly the parent/child pairs of the process tree below (4864 -> 4756 -> 3460), three writes each. CreateProcess writes the new process's start-up parameters into the child, so this footprint records the drop-and-execute chain rather than injection into an unrelated process; the RedLine payload runs as its own image, k9175512.exe.
Processes

1. C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe (PID 4864)
   Command line: "C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe (PID 4756), child of PID 4864
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2936507.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe (PID 3460), child of PID 4756
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9175512.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
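Added example (not from the report): Python that parses the six WriteProcessMemory rows from the Signatures section into parent/child edges, collapses the three identical writes per child, and rebuilds the process chain shown in the tree above. The row text and PID-to-image mapping are the report's; the "up to three writes into a child that runs its own image means process start-up" rule is a triage heuristic of this example, not a sandbox rule.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# The six rows of the "Suspicious use of WriteProcessMemory" table, one per call,
# copied from this report: writer PID, target PID, writer PID again, writer image,
# and the sandbox's internal target process reference.
WPM_ROWS = """
PID 4864 wrote to memory of 4756 4864 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe 84
PID 4864 wrote to memory of 4756 4864 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe 84
PID 4864 wrote to memory of 4756 4864 57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe 84
PID 4756 wrote to memory of 3460 4756 y2936507.exe 85
PID 4756 wrote to memory of 3460 4756 y2936507.exe 85
PID 4756 wrote to memory of 3460 4756 y2936507.exe 85
"""

# PID -> image name, taken from the report's Processes tree.
PROCESS_NAMES: Dict[int, str] = {
    4864: "57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe",
    4756: "y2936507.exe",
    3460: "k9175512.exe",
}

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

Edge = Tuple[int, int]  # (writer pid, target pid)


def parse_rows(text: str) -> List[Edge]:
    """Parse each table row into a (writer, target) edge, rejecting malformed rows."""
    edges: List[Edge] = []
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, src_again, _image, _target_ref = m.groups()
        if src != src_again:
            raise ValueError(f"inconsistent writer pid in row: {line!r}")
        edges.append((int(src), int(dst)))
    return edges


def write_counts(edges: List[Edge]) -> Dict[Edge, int]:
    """Collapse repeated rows: how many writes each parent made into each child."""
    return dict(Counter(edges))


def parent_map(edges: List[Edge]) -> Dict[int, int]:
    """The first writer into a pid is treated as its parent (one parent per child)."""
    parents: Dict[int, int] = {}
    for src, dst in edges:
        parents.setdefault(dst, src)
    return parents


def roots(edges: List[Edge]) -> List[int]:
    """Writers that nobody wrote into: the top of each chain."""
    parents = parent_map(edges)
    return sorted({src for src, _ in edges} - set(parents))


def lineage(pid: int, edges: List[Edge]) -> List[int]:
    """Root-to-leaf chain of pids ending at `pid`."""
    parents = parent_map(edges)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def classify_edges(edges: List[Edge], names: Dict[int, str]) -> Dict[Edge, str]:
    """Heuristic (an assumption of this example): up to three writes from a parent
    into a child that the tree shows running its own image is the footprint of
    ordinary process start-up (CreateProcess writes the child's parameters);
    more writes, or a target that is not a known child image, is left for review."""
    verdicts: Dict[Edge, str] = {}
    for edge, n in write_counts(edges).items():
        _src, dst = edge
        verdicts[edge] = "process_creation_writes" if n <= 3 and dst in names else "review_possible_injection"
    return verdicts


def render_tree(edges: List[Edge], names: Dict[int, str]) -> List[str]:
    """Indented lines, one per process, in the same shape as the report's tree."""
    children: Dict[int, List[int]] = defaultdict(list)
    for dst, src in parent_map(edges).items():
        children[src].append(dst)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    print("\n".join(render_tree(edges, PROCESS_NAMES)))
    for edge, verdict in classify_edges(edges, PROCESS_NAMES).items():
        print(edge, write_counts(edges)[edge], verdict)
```

On a larger report the same parser turns the flat WriteProcessMemory table into a tree, and any edge that does not collapse to the usual three start-up writes is the one to open in the memory dumps first.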
Downloads

File (308KB)
  Filesize: 308KB
  MD5: 9f0563d17bf9f60520c88b0535050c5e
  SHA1: 7d3a68cf75e74e8711ab9e1d3556a36faff206ff
  SHA256: d7e820dd6dafc41691a4dbc0168d3837ea8ff49d6d9d31cf0d81521c9063e7ca
  SHA512: a980be3e6e843f344face252995f8ad02ffa490230509c2d6329ee86a64ff537751858a0159279e44fb374eab6f0a6999805807e959edad03f2fd58291a93244

File (168KB)
  Filesize: 168KB
  MD5: bf39d72105f904ba0dbf967cdabe1458
  SHA1: 0d0cc8c770402173931ec5d74fac117c4e5f9e2e
  SHA256: 1c7869d733cfca38d87faebd465681b5211984a524b13bc766d2e2a5e068c56d
  SHA512: 796ce2f2670d7a82f401bd7e02fa928d8404bed46a2ab9b53cbe06b905c70f48629195dcfe81228d82b882c963e3a5045fe1969e2a8911b5873177bb212f3553
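Added example (not from the report): a Python matcher that loads the SHA256 hashes of the submitted sample and the two files above, plus the C2 endpoint from the Malware Config section, and runs them over Sysmon-style key=value event lines. The event lines are constructed for this example, not telemetry from the run; stage_a.exe and stage_b.exe are placeholder paths because the report does not say which dropped file carries which hash. A connection to the C2 host on a port other than 4138 is reported separately as a lower-confidence hit.

```python
import re
from typing import Dict, List

# Indicators from this report: the submitted sample and the two files listed under
# Downloads (SHA256), and the RedLine C2 endpoint from the extracted config.
SHA256_IOCS: Dict[str, str] = {
    "57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649": "submitted sample (480KB)",
    "d7e820dd6dafc41691a4dbc0168d3837ea8ff49d6d9d31cf0d81521c9063e7ca": "dropped file (308KB)",
    "1c7869d733cfca38d87faebd465681b5211984a524b13bc766d2e2a5e068c56d": "dropped file (168KB)",
}
C2_HOST = "217.196.96.56"
C2_PORT = 4138

# Constructed Sysmon-style events (EventID 1 = process create with Hashes,
# EventID 3 = network connect), one per line. Not telemetry from the sandbox run;
# stage_a.exe / stage_b.exe are placeholder names, see the lead-in.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Users\Admin\AppData\Local\Temp\57c7b6b1d432cb85d3a543b6744fa26c24f888885c21d48b00ab1cb7f8f4f649.exe Hashes=MD5=2BE0A62D14BEC20A8C87C8983CD00474,SHA256=57C7B6B1D432CB85D3A543B6744FA26C24F888885C21D48B00AB1CB7F8F4F649
EventID=1 Image=C:\Users\Admin\AppData\Local\Temp\stage_a.exe Hashes=SHA256=d7e820dd6dafc41691a4dbc0168d3837ea8ff49d6d9d31cf0d81521c9063e7ca
EventID=3 Image=C:\Users\Admin\AppData\Local\Temp\stage_b.exe DestinationIp=217.196.96.56 DestinationPort=4138
EventID=3 Image=C:\Program Files\Browser\browser.exe DestinationIp=217.196.96.56 DestinationPort=443
EventID=1 Image=C:\Windows\System32\notepad.exe Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000
"""

# key=value fields; a value runs until the next " key=" so paths with spaces survive.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
_SHA256 = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a field dict."""
    return {key: value for key, value in _FIELD.findall(line)}


def match_event(fields: Dict[str, str]) -> List[Dict[str, object]]:
    """Return every indicator hit for one parsed event."""
    hits: List[Dict[str, object]] = []
    digest_match = _SHA256.search(fields.get("Hashes", ""))
    if digest_match:
        digest = digest_match.group(1).lower()  # Sysmon emits upper-case hex
        if digest in SHA256_IOCS:
            hits.append({"type": "sha256", "ioc": digest,
                         "label": SHA256_IOCS[digest], "image": fields.get("Image", "")})
    if fields.get("DestinationIp") == C2_HOST:
        port = fields.get("DestinationPort")
        exact = port is not None and port.isdigit() and int(port) == C2_PORT
        hits.append({
            "type": "c2" if exact else "c2_host_other_port",
            "ioc": f"{C2_HOST}:{port}",
            "label": "RedLine C2 (botnet daris)" if exact
                     else "C2 host on a port not in the config; verify before acting",
            "image": fields.get("Image", ""),
        })
    return hits


def scan(log: str) -> List[Dict[str, object]]:
    """Run the matcher over a multi-line log, tagging each hit with its line number."""
    results: List[Dict[str, object]] = []
    for lineno, line in enumerate(log.strip().splitlines(), 1):
        for hit in match_event(parse_event(line)):
            hit["line"] = lineno
            results.append(hit)
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["line"], hit["type"], hit["label"], hit["image"])
```

Hash matching is exact and only catches these three builds; the C2 endpoint is the indicator that survives a repack, which is why the host-only match is kept as a separate, lower-confidence type rather than dropped.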